Thu Jul 2 10:11:09 UTC 2015
Chris Olson <chris_e_olson at yahoo.com>

We have recently been asked to evaluate some computing machinery for
a new project. This particular end user has very limited experience
with the stated security requirements in a lights-out environment.
Their primary work (as well as mine) in the past has been with very
small, simple networks of desktop machines and a few servers with
extremely limited access.  For the most part, their admins haverefused to use any maintenance connectivity to servers other thanthe primary serial ports.

There is a concern about system security primarily driven by recent
information searches performed by end user admins and included below.

IPMI/BMC Security Issues
http://www.google.com   Search:  IPMI "Security Holes" -- Hits: 14,500
http://www.google.com   Search:  IPMI BMC "Security Holes" -- Hits: 4950

BIOS Security Issues
http://www.google.com   Search:  BIOS "Security Holes" -- Hits: 342,000

My initial recommendation was to use a totally separate network for any
service processors within the servers that implement IPMI/BMC capabilities.
This has been standard practice in most systems I have worked on in the
past, and has allowed certification with essentially no problems. The BIOS
concern seems to be another issue to be addressed separately.

Any connectivity and access to a system brings security issues.  The list
from these searches is huge.  Are there specific things that must always be
addressed for system security besides keeping junior admins off the server
supporting the maintenance network?

Thanks in advance for any feedback and best regards.